Hello,
syzbot found the following crash on:
HEAD commit: b7e40c3d Merge 4.14.75 into android-4.14
git tree: android-4.14
console output:
https://syzkaller.appspot.com/x/log.txt?x=153cc5a1400000
kernel config:
https://syzkaller.appspot.com/x/.config?x=83372ecdbe063bdb
dashboard link:
https://syzkaller.appspot.com/bug?extid=fc205e4925d4f926f3ff
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=14935e5e400000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=17f8634e400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+fc205e...@syzkaller.appspotmail.com
INFO: task syz-executor498:8201 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor498 D28920 8201 1957 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
__do_page_fault+0x868/0xb60 arch/x86/mm/fault.c:1361
page_fault+0x42/0x50 arch/x86/entry/entry_64.S:1104
RIP: 6e1320:0x2d
RSP: 0001:00007ffdfd0ffd90 EFLAGS: 00000001
INFO: task syz-executor498:8208 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor498 D28856 8208 1957 0x80000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447209
RSP: 002b:00007fb46a086da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dcc28 RCX: 0000000000447209
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dcc28
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
R13: 6e69752f7665642f R14: 00007fb46a0879c0 R15: 0000000000000000
INFO: task syz-executor498:8214 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor498 D29488 8214 1957 0x80000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447209
RSP: 002b:00007fb46a044da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dcc48 RCX: 0000000000447209
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dcc48
RBP: 00000000006dcc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc4c
R13: 6e69752f7665642f R14: 00007fb46a0459c0 R15: 0000000000000003
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffffad002247>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
2 locks held by getty/1759:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffadb2f070>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffadb2a5ef>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor498/8201:
#0: (&mm->mmap_sem){++++}, at: [<ffffffffaceb4368>]
__do_page_fault+0x868/0xb60 arch/x86/mm/fault.c:1361
1 lock held by syz-executor498/8208:
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor498/8214:
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] do_exit+0x512/0x2800
kernel/exit.c:852
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.75+ #18
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8212 Comm: syz-executor498 Not tainted 4.14.75+ #18
task: ffff8801da9d2f00 task.stack: ffff8801cdd60000
RIP: 0010:preempt_latency_start kernel/sched/core.c:3141 [inline]
RIP: 0010:preempt_count_add+0xa7/0x130 kernel/sched/core.c:3164
RSP: 0018:ffff8801cdd67a80 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffffffae649df1 RCX: 1ffff1003b53a6e5
RDX: 1ffff1003b53a805 RSI: 0000000000000000 RDI: ffff8801da9d4028
RBP: ffff8801cdd67a90 R08: ffffffffad200234 R09: 0000000000000000
R10: ffff8801cdd67c40 R11: 0000000000000000 R12: ffff8801da9d2f00
R13: 0000000000000000 R14: ffff8801cdf3cf60 R15: ffffffffad200234
FS: 00007fb46a066700(0000) GS:ffff8801db800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001f88 CR3: 00000001cde9c004 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__mutex_lock_common kernel/locking/mutex.c:755 [inline]
__mutex_lock+0xd1/0x1480 kernel/locking/mutex.c:893
perf_mmap+0x514/0x1370 kernel/events/core.c:5402
call_mmap include/linux/fs.h:1787 [inline]
mmap_region+0x836/0xfb0 mm/mmap.c:1731
do_mmap+0x551/0xb80 mm/mmap.c:1509
do_mmap_pgoff include/linux/mm.h:2167 [inline]
vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1559 [inline]
SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447209
RSP: 002b:00007fb46a065d98 EFLAGS: 00000212 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000447209
RDX: 0000000000000000 RSI: 0000000000002000 RDI: 0000000020bf0000
RBP: 00000000006dcc30 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000004011 R11: 0000000000000212 R12: 00000000006dcc3c
R13: 6e69752f7665642f R14: 00007fb46a0669c0 R15: 0000000000000001
Code: 00 85 c0 75 35 65 4c 8b 24 25 c0 de 01 00 49 8d bc 24 28 11 00 00 48
b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 <75> 6b 49 89
9c 24 28 11 00 00 5b 41 5c 5d c3 31 ff 31 db e8 61
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches